Firewalls in firing line as US military plans data-centric network

Firewalls add complexity, says Air Force general

The US Defense Information Systems Agency (DISA) is planning a complete overhaul of its network architecture that could spell the end for conventional firewalls, the organisation's director has said in comments to armed forces media.

US Air Force Lt General Ronnie Hawkins Jr. was quoted as saying that the US military's IT service wanted to move from a mesh of firewalls towards a design based on protecting data instead of packets.

He didn't expand on how this would eliminate firewalls but hinted at the complexity of having to manage large numbers of firewalls sited on different network segments used by the service.

"In the past, we've all been about protecting our networks - firewall here, firewall there, firewall within a service, firewall within an organisation, firewalls within DISA," he said.

"We've got to remove those and go to protecting the data. You can move that data in a way that it doesn't matter if you're on a classified or unclassified network, depending on someone's credentials and their need to know."

This sounds like a version of the 'de-perimeterisation' debate that passed into mainstream best practice some time ago, although that form of data-centric design would only reduce firewalls rather than remove them entirely.

His remarks are still significant because they set the agenda for all US military IT thinking.

"We want to be able to normalise our networks to where you can have the collaboration and information moving over our networks and you don't have to have the different firewalls, the separate networks, to get those things done," he said.

Additionally, the department can realise significant savings in instrumentation - for example, by moving from 'hard phones' to 'soft phones,' he said, presumably a reference to VoIP telephony.

DISA was still at an early stage in deciding how to use cloud technology, he added, and had yet to plump for one owned by the Defense Department, or to adopt a private or public cloud inside a data centre.

"DISA gets it, they really get it," wrote Barry Shteiman, a senior security strategist for security firm Imperva in a blog post on the comments.

"Yes, firewalls are important. They help solve network security problems by creating barriers that prevent unwanted network access. But they do not control data access," he said.

"That's why I find DISA's new approach so fascinating. It's based on the realisation that the threats have changed. Hackers want data like IPs, PINs, credentials, proprietary information, and more. And it's very easy for them to steal data due to poor security controls or outright mismanagement."

Shteiman said he believed that DISA would most likely move to role-based data access, and content control, auditing and monitoring.

"Personally I hope that the DISA's decision becomes a guidepost for other organisations to follow."


Stories by John E Dunn
